Thursday, June 30, 2011

Attacking VMWare Guest Machines

Vulnerability Discovery
-Vulnerability identified on 5/14/09
-Reported to VMware on 5/15/09
-VMware responded on 5/21/09
-CVE-2009-3733 reserved on 10/20/09
-VMSA-2009-0015 released on 10/27/09
-"Directory Traversal vulnerability"

Identification
-Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
-Thought to be localized to inside of NAT interface of Host (8307/tcp)
-Can steal VMs from within other VMs... if NAT.

Description
-Web Access web servers also vulnerable
-Server (default ports 8222/8333) - ../ x 6
-ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
-No longer requires NAT mode / Remotely exploitable
-Not as straightforward as originally thought
-Still trivial to exploit because...

Root Access Is Easy


How it works?


-Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)
-Web server on 8307/tcp is also vulnerable, but serves ALL filetypes
-Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines)
-ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)

Vulnerable Versions
Server
-VMware Server 2.x < 2.0.2 build 203138 (Linux)
-VMware Server 1.x < 1.0.10 build 203137 (Linux)

ESX/ESXi
-ESX 3.5 w/o ESX350-200901401-SG
-ESX 3.0.3 w/o ESX303-200812406-BG
-ESXi 3.5 w/o ESXe350-200901401-I-SG

Guest Stealer
-Perl script remotely ‘steals’ virtual machines from vulnerable hosts
-Supports Server, ESX, ESXi
-Allows attacker to select which Guest to ‘steal’
-Utilizes VMware configuration files to identify available Guests and determine associated files

VMINVENTORY.XML
-/etc/vmware/hostd/vmInventory.xml (default location)
-Gives us Guest inventory & location information





Mitigation
-Patch, patch, patch
-Hosts are an attractive target (compromise one = access many)
-Better yet...Segment, segment, segment
-Segment management interfaces
-Segment systems of different security levels
-Don’t share physical NICs between different security levels
-Virtualization is not always the "best answer"

Credits:  Justin Morehouse @ ShmooCon